
Thread: fail2ban not banning IP

  1. #1
    Join Date
    Nov 2013
    Location
    Canadiana
    Posts
    461

    fail2ban not banning IP

    Hi, I am attempting to set up fail2ban so that it will ban any IP that fails to provide the proper credentials after 5 attempts for ssh. I copied the jail.conf in /etc/fail2ban to jail.local and have edited the ssh-iptables section so that it is enabled (and uses the port I have ssh listen to).

    Code:
    ...
    [ssh-iptables]
    
    enabled  = true
    filter   = sshd
    action   = iptables[name=SSH, port=22222, protocol=tcp]
               sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
    logpath  = /var/log/sshd.log
    maxretry = 5
    ...
    Then I just restarted the fail2ban service and can confirm it added something to iptables. The problem is when I try to ssh and intentionally fail at providing the password for the key, I am not banned after 5 attempts. This is my very first time using fail2ban so I think I am just doing something stupid, but I have looked at all the tutorials that I can find and I just don't understand what is wrong.

    I am using a key + password for it to log in and when I enter the password wrong ~7 times I still have not been banned. The same goes for if I don't possess the pub key at all.
    openSUSE Leap (42.1) 64 bit
    Plasma 5.4

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: fail2ban not banning IP

    On 2014-04-24 03:26, alanbortu wrote:

    > Code:
    > --------------------
    > action = iptables[name=SSH, port=22222, protocol=tcp]
    > --------------------


    ....

    > banned after 5 attempts. This is my very first time using fail2ban so I
    > think I am just doing something stupid, but I have looked at all the
    > tutorials that I can find and I just don't understand what is wrong.


    I'm not familiar with fail2ban myself, but the port for ssh is 22, not
    22222. Typo?

    And for your tests, you probably have to connect from internet, not from
    the same machine - I mention this because people tend to forget this
    when testing ;-)


    If your intention is to block only ssh, the distribution firewall,
    susefirewall, can natively block repetitive failed ssh attempts and a
    few others. It is trivial to set up.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  3. #3
    Join Date
    Nov 2013
    Location
    Canadiana
    Posts
    461

    Re: fail2ban not banning IP

    Quote Originally Posted by robin_listas View Post
    On 2014-04-24 03:26, alanbortu wrote:

    > Code:
    > --------------------
    > action = iptables[name=SSH, port=22222, protocol=tcp]
    > --------------------


    ....

    > banned after 5 attempts. This is my very first time using fail2ban so I
    > think I am just doing something stupid, but I have looked at all the
    > tutorials that I can find and I just don't understand what is wrong.


    I'm not familiar with fail2ban myself, but the port for ssh is 22, not
    22222. Typo?

    And for your tests, you probably have to connect from internet, not from
    the same machine - I mention this because people tend to forget this
    when testing ;-)

    Heh, no, I just used 22222 as an example for the fact that I am not using the standard port. And yeah, I ssh to my school servers and then attempt to ssh back.

    And thanks I will look into doing this with susefirewall
    openSUSE Leap (42.1) 64 bit
    Plasma 5.4

  4. #4
    Join Date
    Nov 2013
    Location
    Canadiana
    Posts
    461

    Re: fail2ban not banning IP

    Sorry, can't edit the post. Where does sshd log attempted logins on openSUSE? It's not the same place as Debian/Ubuntu.
    openSUSE Leap (42.1) 64 bit
    Plasma 5.4

  5. #5
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    435

    Re: fail2ban not banning IP

    I think your logpath is not the proper one.
    I use /var/log/messages as the good logpath, and fail2ban works perfectly.
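
The logpath mismatch raised in the post above, as an added example (not code from the thread or from fail2ban): it reads the jail section, checks whether the configured log is present, and counts failures per IP against `maxretry`. The log lines, the `diagnose` helper and the simplified regex are constructed assumptions, and `findtime` is ignored.

```python
import configparser
import re
from collections import Counter

# Constructed jail.local fragment mirroring the section posted in the thread.
JAIL_LOCAL = """
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22222, protocol=tcp]
logpath  = /var/log/sshd.log
maxretry = 5
"""

def line(sec, user, ip):
    """Build one constructed sshd failure line in syslog format."""
    return (f"Apr 24 03:20:{sec:02d} host sshd[2101]: "
            f"Failed password for {user} from {ip} port 50112 ssh2\n")

# Constructed log content keyed by path; only /var/log/messages "exists".
SAMPLE_LOGS = {"/var/log/messages": "".join(
    [line(s, "alice", "203.0.113.7") for s in range(5)]
    + [line(s, "invalid user bob", "198.51.100.9") for s in (10, 11)]
    + ["Apr 24 03:21:00 host sshd[2102]: Accepted publickey for alice "
       "from 192.0.2.4 port 50200 ssh2\n"])}

# Simplified stand-in for the sshd filter, not fail2ban's own failregex.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ from (\S+)")

def diagnose(jail_text, section, logs):
    """Report whether the jail's logpath is readable and which IPs reach maxretry."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    jail = cp[section]
    path, maxretry = jail["logpath"], jail.getint("maxretry")
    if path not in logs:
        # The filter never sees a failure, so nothing is ever banned.
        return {"logpath": path, "status": "missing", "would_ban": []}
    hits = Counter(m.group(1) for m in FAILED.finditer(logs[path]))
    banned = sorted(ip for ip, n in hits.items() if n >= maxretry)
    return {"logpath": path, "status": "ok" if hits else "no-matches",
            "would_ban": banned}

if __name__ == "__main__":
    print(diagnose(JAIL_LOCAL, "ssh-iptables", SAMPLE_LOGS))
    fixed = JAIL_LOCAL.replace("/var/log/sshd.log", "/var/log/messages")
    print(diagnose(fixed, "ssh-iptables", SAMPLE_LOGS))
```

On a live system the same question is answered by running `fail2ban-regex` with the log file and the filter file as arguments, which reports how many lines the real filter matches.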

  6. #6
    Join Date
    Nov 2013
    Location
    Canadiana
    Posts
    461

    Re: fail2ban not banning IP

    Quote Originally Posted by Christophe_deR View Post
    I think your logpath is not the proper one.
    I use /var/log/messages as the good logpath, and fail2ban works perfectly.

    Thought so, thanks.
    openSUSE Leap (42.1) 64 bit
    Plasma 5.4

  7. #7
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: fail2ban not banning IP

    On 2014-04-24 04:16, alanbortu wrote:

    > And thanks I will look into doing this with susefirewall


    /etc/sysconfig/SuSEfirewall2:

    Code:
    
    > ## Type: string
    > ## Default:
    > #
    > # Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
    > # and more specific than FW_TRUSTED_NETS
    > #
    > # Format: space separated list of net,protocol[,dport[,sport[,flags]]]
    > # Example: "0/0,tcp,22"
    > #
    > # Supported flags are
    > #   hitcount=NUMBER     : ipt_recent --hitcount parameter
    > #   blockseconds=NUMBER : ipt_recent --seconds parameter
    > #   recentname=NAME     : ipt_recent --name parameter
    > # Example:
    > #    Allow max three ssh connects per minute from the same IP address:
    > #      "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    > #
    > # The special value _rpc_ is recognized as protocol and means that dport is
    > # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
    > # details.
    > #
    > # Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
    > # take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
    > # port with both options.
    > #
    > # Note2: the iptables recent module may not be available for ipv6. To
    > # avoid an error message use 0.0.0.0/0 instead of 0/0. This will
    > # install the rule for ipv4 only.
    > #
    > #FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

    This does not need to read/write any file, it works on memory. The
    kernel handles it.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)
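
A check for the `FW_SERVICES_ACCEPT_EXT` format quoted in the post above, as an added example (not part of the thread or of SuSEfirewall2): it parses each `net,protocol[,dport[,sport[,flags]]]` item and flags the two pitfalls the quoted comment calls Note1 and Note2. The `parse_entry` and `lint` helpers are hypothetical, and ports are compared as plain strings, which is an assumption.

```python
RECENT_FLAGS = {"hitcount", "blockseconds", "recentname"}

def parse_entry(entry):
    """Split one net,protocol[,dport[,sport[,flags]]] item into a dict."""
    parts = entry.split(",")
    if len(parts) < 2:
        raise ValueError(f"need at least net,protocol: {entry!r}")
    flags = {}
    for item in parts[4:]:
        key, sep, value = item.partition("=")
        if key not in RECENT_FLAGS or not sep:
            raise ValueError(f"unsupported flag {item!r} in {entry!r}")
        # hitcount and blockseconds are numbers, recentname is a label.
        flags[key] = value if key == "recentname" else int(value)
    return {"net": parts[0], "proto": parts[1],
            "dport": parts[2] if len(parts) > 2 else "",
            "sport": parts[3] if len(parts) > 3 else "",
            "flags": flags}

def lint(accept_ext, ext_tcp="", ext_udp=""):
    """Return warnings based on Note1 and Note2 of the quoted comment."""
    opened = {"tcp": ext_tcp.split(), "udp": ext_udp.split()}
    warnings = []
    for entry in accept_ext.split():
        e = parse_entry(entry)
        # Note1: FW_SERVICES_EXT_TCP/UDP take precedence over this option.
        if e["dport"] and e["dport"] in opened.get(e["proto"], []):
            warnings.append(f"{entry}: port {e['dport']} is also opened in "
                            f"FW_SERVICES_EXT_{e['proto'].upper()} (Note1)")
        # Note2: the recent module may be unavailable for ipv6.
        if e["flags"] and e["net"] == "0/0":
            warnings.append(f"{entry}: recent flags with 0/0; "
                            "use 0.0.0.0/0 for an ipv4-only rule (Note2)")
    return warnings

if __name__ == "__main__":
    # Constructed values: the documented example plus a conflicting port list.
    sample = "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    for warning in lint(sample, ext_tcp="22 80"):
        print(warning)
```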

  8. #8
    Join Date
    Nov 2013
    Location
    Canadiana
    Posts
    461

    Re: fail2ban not banning IP

    Quote Originally Posted by robin_listas View Post
    On 2014-04-24 04:16, alanbortu wrote:

    > And thanks I will look into doing this with susefirewall


    /etc/sysconfig/SuSEfirewall2:

    Code:
    
    > ## Type: string
    > ## Default:
    > #
    > # Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
    > # and more specific than FW_TRUSTED_NETS
    > #
    > # Format: space separated list of net,protocol[,dport[,sport[,flags]]]
    > # Example: "0/0,tcp,22"
    > #
    > # Supported flags are
    > #   hitcount=NUMBER     : ipt_recent --hitcount parameter
    > #   blockseconds=NUMBER : ipt_recent --seconds parameter
    > #   recentname=NAME     : ipt_recent --name parameter
    > # Example:
    > #    Allow max three ssh connects per minute from the same IP address:
    > #      "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    > #
    > # The special value _rpc_ is recognized as protocol and means that dport is
    > # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
    > # details.
    > #
    > # Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
    > # take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
    > # port with both options.
    > #
    > # Note2: the iptables recent module may not be available for ipv6. To
    > # avoid an error message use 0.0.0.0/0 instead of 0/0. This will
    > # install the rule for ipv4 only.
    > #
    > #FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

    This does not need to read/write any file, it works on memory. The
    kernel handles it.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

    Cool, I think I will just rely on the susefirewall instead of fail2ban for now.
    openSUSE Leap (42.1) 64 bit
    Plasma 5.4
